Detecting BYOVD Attacks
6 articles
How to detect BYOVD (bring-your-own-vulnerable-driver) attacks — the driver-load and service-creation signals, a Sigma rule, the LOLDrivers list, and HVCI hardening.
How to detect AD CS abuse — the ESC1 and ESC8 escalation paths, the CVE-2022-26923 case, certificate-request audit events, and the template hardening that stops it.
How to detect LOLBins without false positives — flag abuse of certutil, regsvr32, mshta and rundll32 by behavior, with a Sigma rule and allowlist tuning.
A practical Sysmon configuration for threat detection — the event IDs that matter, an approach to tuning the config, what to forward to your SIEM, and the detection rules it powers.
How to detect and defend against NTLM relay — coercion primitives, the CVE-2025-24054 case, AD CS ESC8 audit events, and the SMB/LDAP signing plus EPA that stop it.
How to detect LSASS credential dumping — the Sysmon process-access signal, suspicious GrantedAccess masks, a Sigma rule, and the LSA protections that prevent it.